Symbolic Data Structure for sets of k-uples of integers

Size: px

Start display at page:

Download "Symbolic Data Structure for sets of k-uples of integers"

Jessica Wright
6 years ago
Views:

1 Symbolic Data Structure for sets of k-uples of integers Pierre Ganty 1, Cédric Meuter 1, Laurent Van Begin 1, Gabriel Kalyon 1, Jean-François Raskin 1, and Giorgio Delzanno 2 1 Département d Informatique, Université Libre de Bruxelles 2 Dipartimento di Informatica e Scienze dell Informazione, Università degli Studi di Genova Abstract. In this document we present a new symbolic data structure dedicated to the manipulation of (possibly infinite) sets of k-uples over integers, initially introduced in [Gan02]. This new data structure called Interval Sharing Tree (IST), is based on sharing trees [ZL95] where each node is labelled with an interval of integers. We present symbolic algorithm on IST for standard set operations and also introduce some specific operation that can be useful in the context of model-checking. 1 Introduction Many systems like multi-threaded programs and communication protocols are very complex to devise, hence error prone. For almost three decades a lot of research has been done in order to formalize and prove or refute properties on such systems. Given a formal description M of the system, we apply model checking methods [CGP99] to verify automatically that some properties hold on M. Those automatic methods manipulate (possibly) infinite sets of configurations of M. In model checking one problem we face off is the state explosion problem. This problem corresponds to a blow up in the size of the sets of configurations being manipulated. One way to overcome that problem is to use a compact symbolic representation of those sets. In our context assuming that those configurations are k-uples over integers, we define Interval Sharing Tree (IST) [Gan02] which is a symbolic representation of sets of k-uples. ISTs are directed acyclic graphbased data structures, where nodes are labelled with intervals of integers. This symbolic data structure benefits from several advantages. First, algorithms can be defined to manipulate ISTs symbolically (i.e. without exploring all path of the graph). Second, the size of an IST I may be exponentially smaller than the size of the set of k-uples it represent. Finally, an IST I can be (semantically) nondeterministic whereas other approaches facing to the state explosion problem traditionally use deterministic data structures (e.g. sharing trees [ZL95], BDD [CGP99],...), thus allowing I to be more compact. The remainder of this document is structured as follows. First, in sec. 2, we introduce interval sharing trees and their semantics. We follow up, in sec. 3,

2 by presenting symbolic algorithms for manipulating this data structure. Finally, in sec. 4, we conclude by presenting a summary of all operations and their complexity. 2 Interval Sharing Tree In the following, Z denotes the set of integers and Z = Z {, + }. The classical order over integer is exted to Z in the usual way: c Z : < c < +. An interval is a pair a, b Z Z such that a b, noted [a, b]. As usual, an interval a, b denotes the set {c Z a c b}. Hence, c [a, b] means that c is in the set corresponding to [a, b]. We note I the set of all intervals. Moreover, we note (a, b] = [a, b] \ {a} and [a, b) = [a, b] \ {b}. Definition 1 (Interval Sharing Tree). An interval sharing tree (IST in short) I, is a labelled directed rooted acyclic graph N, ι, succ where: N = N 0 N 1 N 2... N k N k+1 is the finite set of nodes, partitioned into k + 2 disjoint subsets N i called layers with N 0 = {root} and N k+1 = {} ι : N I {, } is the labelling function such that ι(n) = (resp. ) if and only if n = root (resp. ). succ : N 2 N is the successor function such that: (i) succ() = (ii) i [0, k], n N i : succ(n) N i+1 succ(n) (iii) n N, n 1, n 2 succ(n) : (n 1 n 2 ) (ι(n 1 ) ι(n 2 )) (iv) i [0, k], n 1 n 2 N i : (ι(n 1 ) = ι(n 2 )) (succ(n 1 ) succ(n 2 )) In other words, an IST is a directed acyclic graph where the nodes are labelled with intervals except for two special nodes (root and ), such that (i) the node has no successors, (ii) all nodes from layer i have their successors in layer i+1, (iii) a node cannot have two successors with the same label, (iv) two nodes with the same label in the same layer do not have the same successors. Condition (iii) ensures maximal prefix sharing, i.e. the IST is syntactically deterministic. It does not mean that an IST is semantically deterministic, i.e. a node may have two distinct successors labeled with intervals that are not disjoint. Condition (iv) ensures maximal suffix sharing. If a graph satisfies all condition of definition 1 by those two condition, it is called a pre-ist. A path of an IST is a k-uple n 1, n 2,..., n k such that n 1 succ(root), succ(n k ) and i [1, k) : n i+1 succ(n i ). Given an IST I, we note path(i), the set of path of I. The semantics of an IST I, noted [I ] is the set {x Z k n 1,..., n k path(i), i [1, k] : x i ι(n i )}. 3 Operations on IST In this section we present the operations on IST. Those operation are symbolic, i.e. they work on the tree instead of the set of k-uples that are represented.

3 We start in sec. 3.1 by introducing some preliminary operations that will later on. Then, in sec. 3.2, we introduce basic set operations, i.e. emptiness test, membership test, union, intersection and complement. Finally, in sec. 3.3, we present some operations that are useful in the context of model-checking, namely substitution and downward closure. 3.1 Preliminary operations Prefix sharing Given a pre-ist I with k layers, we want to modify I so that it satisfies condition (iii) of definition 1. The idea is to traverse the sharing tree layer-by-layer and to determinize syntactically the nodes of each layer. This algorithm has a wost-case time complexity of O(2 I ). Note however, that this algorithm returns a pre-ist satisfying condition iii, but not necessarily condition (iv). Algorithm 1: enforceprefixsharing(i, k) data: I = N, ι, succ, k N post: n N, n 1, n 2 succ(n) : (n 1 n 2 ) (ι(n 1 ) ι(n 2 )) for i 0 to k do forall n N i do S forall I I s.t. n succ(n) : ι(n ) = I do let n be a new node succ(n ), ι(n ) I forall n succ(n) s.t. ι(n ) = I do succ(n ) succ(n ) succ(n ) N i+1 N i+1 {n } S S {n } succ(n) S Suffix sharing Given a pre-ist I with k layers, we want to transom I so that it satisfies condition (iv) of definition 1. The idea is to traverse the sharing tree layer-by-layer (bottom-up). When we encounter two nodes in same layer with same label and with the same set of sons, we delete one of them (the other one takes its place). Note that this operation preserves condition iii. Therefore, if one wants to enforce both conditions, one must start with enforceprefixsharing().

4 Algorithm 2: enforcesuffixsharing(i, k) data: I = N, ι, succ, k N post: i [0, k], n 1 n 2 N i : (ι(n 1 ) = ι(n 2 )) (succ(n 1 ) succ(n 2 )) for i k downto 1 do forall n N i do forall n N i \ {n} s.t. ι(n) = ι(n ) succ(n) = succ(n ) do forall n N i 1 s.t. n succ(n ) do succ(n ) (succ(n ) \ {n }) {n} N i N i \ {n } Algorithm 3: determinize(i, k) data: I = N, ι, succ, k N post: n N, n 1 n 2 succ(n) : ι(n 1 ) ι(n 2 ) = for i 0 to k do forall n N i s.t. n 1 n 2 succ(n) : ι(n 1 ) ι(n 2 ) do let n be a new node ι(n ) ι(n) forall n N s.t. n succ(n ) do succ(n ) succ(n ) {n } \ {n} L {ι(n ) n succ(n)} let L 2 I be the smallest partition of I L I forall I L do let s be a new node forall t succ(n) s.t. I ι(t) do succ(s) succ(s) succ(t) ι(s) I succ(n ) succ(n ) {s} N i+1 N i+1 {s} N i N i {n } \ {n} enforcesuffixsharing(i, k) Determinization Given an IST I with k layers, we want to eliminate from I the semantical non-determinism that can arise in the successors of a given node while preserving [I ]. After the determinization of a sharing tree, the intevals defined by the successors of any node must be disjoint. The idea of the algorithm is to traverses the sharing tree layer-by-layer and for each node n, compute a new set of disjoint intervals. Then, we create a node s for each such interval and we compute the successors of s, i.e. the successors of nodes that belongs to succ(n)

5 and that have a label containing the label of s. This algorithm has a worst-case complexity of O(2 I ). 3.2 Set operations Emptiness Given an IST I with k layers, we want to decide if [[I ] = holds. The algorithm for that is very simple. Indeed, [I ] = if and only if succ(root) =. This algorithm has a worst-case time complexity of O(1). Algorithm 4: empty(i, k) data : I = N, ι, succ, k N returns: true if and only if [I ] = return succ(root) = Membership Given an IST I with k layers and a k-uple x = x 1,..., x k Z k, we want to determine if x [I ] holds. For that, we present an algorithm for that problem adapted from Covering Sharing Trees [Van03,DRV04] that has a worst-case time complexity O( I ). The algorithm is based on a layer-by-layer traversal of the graph. We first mark the root node of I. Then for each layer i [1, k + 1], we mark all nodes n N i such that x i ι(n) and such that n has a marked predecessor. At the of this procedure, x I holds if and only if the node has at least one marked predecessor. Algorithm 5: memberof(i, k, x) data : I = N, ι, succ, k N, x Z k returns: true if and only if x [I ] holds M {root} for i 1 to k do forall n N i do if (x i ι(n)) ( n M : n succ(n )) then M M {n} return ( n M : succ(n)) Intersection Given two IST I 1, I 2 with k layers, we want to compute an IST I such that [[I ] = [I 1 ] [I 2 ]. The algorithm is adapted from the the algorithm computing the synchronized product of finite automata. Each node in this product is a pair of node from both I 1 and I 2. In this particular case, the interval

6 of a node n 1, n 2 in the product is the intersection of the interval of n 1 and n 2. Unfortunately, this can introduce some prefix and/or suffix redundancy, thus violating conditions (iii) and/or (iv) of definition 1. Therefore, we must enforce those two conditions in the algorithm to turn the resulting pre-ist into an IST. For this reason, this algorithm has a worst-case time complexity of O(2 I1 I2 ). It was proven in [Van03, thm. 20, 21] that for Covering Sharing Trees, which is a subclass of IST, no polynomial algorithm exists for that problem. Algorithm 6: intersection(i 1, I 2, k) data : I 1 = N 1, ι 1, succ 1, I 2 = N 2, ι 2, succ 2, k N returns: I s.t. [I ] = [I 1 ] [I 2 ] I N 0... N k+1, ι, succ for i 0 to k do N i N k+1 { 1, 2 } ι( 1, 2 ) for i k downto 1 do forall n 1, n 2 N1 k N2 k s.t. ι 1 (n 1 ) ι 2 (n 2 ) do ι( n 1, n 2 ) ι 1 (n 1 ) ι 2 (n 2 ) succ( n 1, n 2 ) N k+1 (succ 1 (n 1 ) succ 2 (n 2 )) if succ( n 1, n 2 ) then N k N k { n 1, n 2 } N 0 { root 1, root 2 } ι( root 1, root 2 ) succ( root 1, root 2 ) N 1 enforceprefixsharing(i, k) enforcesuffixsharing(i, k) return I Union Given two IST I 1, I 2 with k layers, we want to compute an IST I such that [I ] = [I 1 ] [I 2 ]. This can be done using the algorithm to compute the union of two sharing trees defined in [ZL95]. This algorithm uses two recursive functions recunion() and reccopy(). The function recunion() computes the union of a sub-tree of I 1 rooted in n 1 and a sub-tree of I 2 rooted in n 2. The roots of these sub-trees must have the same labels. The function reccopy() copies a sub-tree of I 1 or I 2 in I. Those two function make use of a hashing table T to remember previous computations. When the union of two sub-trees rooted respectively in n 1 and n 2 is computed and added in I, the resulting node is stored in T, indexed by the pair n 1, n 2. Similarly, when a sub-tree rooted in n is copied in I, the copied node is stored in T, indexed by the pair n, n. This is essential in order treat every pair of nodes only once, thus allowing a polynomial

7 complexity. Note that condition iv does not necessarily holds on the result and must therefore be enforced. This algorithm has a worst-case time complexity of O(( I 1 + I 2 ) 3 ). Algorithm 7: recunion(n 1, n 2, i) if T (n 1, n 2 ) is defined then n T (n 1, n 2 ) else let n be a new node ι(n) ι 1 (n 1 ) N i N i {n} forall n 1 succ 1 (n 1 ) do if n 2 succ 2 (n 2 ) s.t. ι 1 (n 1) = ι 2 (n 2) then succ(n) succ(n) {recunion(n 1, n 2, i + 1)} else succ(n) succ(n) {reccopy(n 1, 1, i + 1)} forall n 2 succ 2 (n 2 ) do if n 1 succ 1 (n 1 ) : ι 1 (n 1) ι 2 (n 2) then succ(n) succ(n) {reccopy(n 2, 2, i + 1)} T (n 1, n 2 ) n return n Algorithm 8: reccopy(n, x, i) if T (n, n) is defined then n T (n, n) else let n be a new node ι(n ) ι x (n) N i N i {n } forall n succ x (n) do succ(n ) succ(n ) {reccopy(n, x, i + 1)} T (n, n) n return n

8 Algorithm 9: union(i 1, I 2, k) data: I 1 = N 1, ι 1, succ 1, I 2 = N 2, ι 2, succ 2, k N returns: I s.t. [I ] = [I 1 ] [I 2 ] I N 0... N k+1, ι, succ forall i 0 to k do N i recunion(root 1, root 2, 0) enforcesuffixsharing(i, k) return I Algorithm 10: complement(i, k) data : I = N, ι, succ, k N returns: I 1 such that [I 1 ] = Z k \ [I ] I 1 I determinize(i 1 ) M N k 1 1 for i 0 to k do forall n N i 1 do L {ι 1 (n ) n succ 1 (n)} let L 2 I be the smallest partition of Z \ ( I L I) forall I L do let n be a new node ι 1 (n ) I, succ 1 (n) succ 1 (n) {n } forall n M do succ 1 (n) ; N i+1 1 N i+1 1 {n } forall n N k 1 1 \ M do succ 1 (n) 1 for i k downto 1 do forall n N i do if succ 1 (n) = then N i 1 N i 1 \ {n} forall n N i 1 s.t. n succ 1 (n ) do succ 1 (n ) succ 1 (n ) \ {n} enforcesuffixsharing(i 1, k) return I 1

9 Complement Given an IST I with k layers, we want to compute an IST I 1 such that [I 1 ] = Z k \ [I ]. First, we take a copy I 1 of I, and determinize it. Then, for each node n of I 1, we complement the set of intervals defined by the successors of n to obtain a partition of Z. We create a new node for each of these new intervals and add these new nodes to succ(n). In fact, these new nodes allow to consider the k-uples that do not belong to [I ]. To delete the k-uples that belong to [I ], we delete the edges between the nodes of the layer N1 k that were copied from I 1 and the node 1. Finally, we delete from the IST all path not ing in Dedicated operations Substitution Given an IST I with k layers, we want to compute an IST I 1 where a certain variable x i is replaced by x i + d with d Z. Formally, we want that [[I 1 ] = [I ] [xi+d/x i] = { x 1,..., x i + d,..., x k x I}. This operation can be done very simply, by shifting all interval of layer i. Note that this transformation does not violate condition (iv) of (iii). Algorithm 11: substitution(i, k, i, d) data : I = N, ι, succ, k N, i [1, k], d Z returns: I 1 s.t. [I 1 ] = [I ] [xi+d/x i] I 1 N, ι 1, succ forall n N \ N i do ι 1 (n) ι(n) forall n N i do l, u ι(n) ι 1 (n) l + d, u + d return I 1 Downward Closure Given a subset S Z k, the downward closure of S, noted S is the set with k-uple smaller than a k-uple of S. Formally, S = {x Z k x S i [1, k] : x i x i }. Hence, given an IST I with k layers, we want to compute an IST I 1 such that [I 1 ] = [I ]. The algorithm works as follows. The left bound of all nodes is set to. This transformation can introduce some prefix and/or suffix redundancy, thus violating conditions (iii) and/or (iv) of definition 1. Therefore, we must enforce those two conditions in the algorithm. The algorithm has a worst-time complexity O(2 I ).

10 Operation Effect Complexity enforceprefixsharing(i, k) enforce condition (iii) on I O(2 I ) enforcesuffixsharing(i, k) enforce condition (iv) on I O(( I ) 2 ) determinize(i, k) semantically determinize I O(2 I ) empty(i, k) test if [[I]] = holds O(1) memberof(i, k, x) test if x [[I]] holds O( I ) union(i 1, I 2, k) compute I s.t. [[I]] = [[I 1]] [[I 2]] O(( I 1 + I 2 ) 3 ) intersection(i 1, I 2, k) compute I s.t. [[I]] = [[I 1]] [[I 2]] O(2 I 1 I 2 ) substitution(i, k, i, d) computes I 1 s.t. [[I 1]] = [[I]] [xi +d/x i ] O( I ) complement(i, k) compute I 1 s.t. [[I 1]] = Z k \ [[I]] O(2 I ) downwardclosure(i, k) compute I 1 s.t. [[I 1]] = [[I]] O(2 I ) Table 1. Operations on IST and their complexity Algorithm 12: downwardclosure(i, k) data : I = N, ι, succ, k N returns: I 1 s.t. [I 1 ] = [I ] forall n N do l, u ι(n) ι 1 (n), u I 1 N, ι 1, succ enforceprefixsharing(i 1 ) enforcesuffixsharing(i 1 ) return I 1 4 Conclusion In this paper, we defined a symbolic data structure for sets of k-uples of integers, called Interval Sharing Trees. We presented algorithms in order to manipulate this data structure symbolically. Those operations include traditional set operations as well as specific operation dedicated to model-cheking, and are summarized, along with complexity in tab. 1. References [CGP99] Edmund M. Clarke, Orna Grumberg, and Doron Peled. Model checking. MIT Press, Cambridge, MA, USA, [DRV04] Giorgio Delzanno, Jean-Francois Raskin, and Laurent Van Begin. Covering sharing trees: A compact data structure for parameterized verification. Software Tools for Technology Transfer manuscript, 2004.

11 [Gan02] Pierre Ganty. Algorithmes et structures de données efficaces pour la manipulation de contraintes sur les intervalles. Master s thesis, Université Libre de Bruxelles, [Van03] Laurent Van Begin. Efficient Verification of Counting Abstractions for Parametric systems. PhD thesis, Université Libre de Bruxelles, [ZL95] Denis Zampunieris and Baudouin Le Charlier. Efficient handling of large sets of tuples with sharing trees. In Proceedings of the 5th Data Compression Conference (DCC 95), page 428. IEEE Computer Society Press, 1995.

Antichain Algorithms for Finite Automata

Antichain Algorithms for Finite Automata Laurent Doyen 1 and Jean-François Raskin 2 1 LSV, ENS Cachan & CNRS, France 2 U.L.B., Université Libre de Bruxelles, Belgium Abstract. We present a general theory